Ignore it and move on. It is not your responsibility. While you are being a nice guy in trying tell management, it is beyond your responsibility.
Now, I'll indulge you for a minute. If you decide to send a letter, make sure it is certified so you know if/when they get it.
Blowing the PCI DSS whistle may not be enough, because for PCI DSS you only need to encrypt any traffic which touches credit card data.
And time for the reality check. You are one step above some kid with a new laptop who wants to war drive in his neighborhood to sell their services as a "security professional" by locking down wireless routers.
And last but, not least, you did not obtain permission to access their network. As mentioned, depending on where you are, simply obtaining an IP and browsing the network is an illegal act. You've admitted to doing this twice. Once on your phone and once on a laptop. You also have tried to use the networks internet. The internet may have a proxy. Leading me to believe that you are not familiar with the concepts of networking or security beyond "Let's try to connect to open APs".
Doing something ethically, means not breaking laws, having permission, and signed contracts limiting your liability. You say you are being ethical, since you like movie quotes, "You keep using that word. I do not think it means what you think it means." - The Princes Bride.
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP